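---
# Installs certbot, prepares the ACME webroot, and requests a certificate for
# every proxied service that declares a contact e-mail.

# state: latest upgrades certbot on every run; pin a version instead if
# reproducible hosts matter more than automatic updates.
- name: ensure letsencrypt is up-to-date
  apt:
    name: certbot
    state: latest

# NOTE(review): mode 0775 with group www-data lets the web server account
# write into the challenge directory. certbot is invoked by this play and
# the web server only needs to read the files, so 0755 is probably enough.
# Confirm nothing else writes here as www-data before tightening it.
- name: create letsencrypt webroot
  file:
    path: /var/www/letsencrypt
    state: directory
    owner: root
    group: www-data
    mode: '0775'

# Uses command/argv rather than shell: item.domain_name and item.cert_email
# are passed to certbot as single arguments and are never parsed by a
# shell, so metacharacters in inventory data cannot alter the command.
# `creates` replaces the former `[ -f ... ] ||` guard: the task is skipped
# and reports "ok" when the certificate already exists, so the notified
# handler only runs when a certificate was actually issued.
# item.domain_name is also interpolated into a filesystem path; it is
# assumed to be a plain host name. Validate it where
# gateway.proxied_services is defined.
- name: ensure all the domains have a tls certificate
  command:
    argv:
      - certbot
      - certonly
      # Fail instead of waiting on a prompt nobody can answer.
      - --non-interactive
      - --agree-tos
      - -m
      - "{{ item.cert_email }}"
      - --webroot
      - -w
      - /var/www/letsencrypt
      - -d
      - "{{ item.domain_name }}"
    creates: "/etc/letsencrypt/live/{{ item.domain_name }}/fullchain.pem"
  # Evaluated per item: services without cert_email are skipped.
  when: item.cert_email is defined
  with_items: "{{ gateway.proxied_services }}"
  # Handler is not defined in this file; presumably it reloads nginx.
  notify: reload_nginx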